Here are two batman-adv bugfixes:
- fix a potential double free when fragment merges fail, by Sven Eckelmann - fix failing tranmission of the 16th (last) fragment if that exists, by Linus Lüssing -----BEGIN PGP SIGNATURE----- iQJKBAABCgA0FiEE1ilQI7G+y+fdhnrfoSvjmEKSnqEFAli27gkWHHN3QHNpbW9u d3VuZGVybGljaC5kZQAKCRChK+OYQpKeofqQD/0Z/wUItUuS1pODZdcHLrhvc9q0 0O2L0Uujzm+IHRXkv+3ZatedM3vnqq03w2WIdOf3BAPbkvY+zXO4TRQziE8PKy1p aMdC4A/jeGg1c7+PSx+mxhUbRsdP8cdkO3A5AgQxYjbXBlH59595thM8p6CUnWZ0 M4YPaI7dd3XXWYvfaQ1fBcqwhy6z9uiisv5HF99jxkaFEM2ApK8LOhbmsfJbS13M aPgpq/Hjde/RrDGNElmmkWYWdsGAJMnHHVCbX0e3yehJdDZeXciak4BGO0Y2HUHX y7M8zjmYIkha2AnmO/3rl1PdOuX/5i43Haf31ojbXx4wK4RbPG6n2NoIngRhND3E PRP5t3pzZq/N4nAd9Aj+NSiJadxcrnz26sX0stmVIkbAnEUvsG1yNYUP0squL0bn G4EjUafyKonVbayMA90lFKvXujrm3rr0q7AcgpcuJJWWRMe0oHEjbaaIz2jh722S S0yeoKbmaXa2Skxfe68Ptajb+ODSpsL758vRhXS/ZTFWV/3iE8wPRRKil/mkeyL/ pqFF+qxDjRI9S/Hku1A8cegjeBAfBtCxV7A35RP1MCNjv2iltGtBNLLUqiJ9i/C8 REvrAIgaIIsZb01yi2mLVCNg7PEg/0lD8sulqH5Dkv3amSBZr0EsmulBZMoDdgwS 7YLi2mqa5eXfGheNOQ== =xy9Y -----END PGP SIGNATURE----- Merge tag 'batadv-net-for-davem-20170301' of git://git.open-mesh.org/linux-merge Simon Wunderlich says: ==================== Here are two batman-adv bugfixes: - fix a potential double free when fragment merges fail, by Sven Eckelmann - fix failing tranmission of the 16th (last) fragment if that exists, by Linus Lüssing ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
commit
6ab2b999e7
@ -239,8 +239,10 @@ err_unlock:
|
|||||||
spin_unlock_bh(&chain->lock);
|
spin_unlock_bh(&chain->lock);
|
||||||
|
|
||||||
err:
|
err:
|
||||||
if (!ret)
|
if (!ret) {
|
||||||
kfree(frag_entry_new);
|
kfree(frag_entry_new);
|
||||||
|
kfree_skb(skb);
|
||||||
|
}
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
@ -313,7 +315,7 @@ free:
|
|||||||
*
|
*
|
||||||
* There are three possible outcomes: 1) Packet is merged: Return true and
|
* There are three possible outcomes: 1) Packet is merged: Return true and
|
||||||
* set *skb to merged packet; 2) Packet is buffered: Return true and set *skb
|
* set *skb to merged packet; 2) Packet is buffered: Return true and set *skb
|
||||||
* to NULL; 3) Error: Return false and leave skb as is.
|
* to NULL; 3) Error: Return false and free skb.
|
||||||
*
|
*
|
||||||
* Return: true when packet is merged or buffered, false when skb is not not
|
* Return: true when packet is merged or buffered, false when skb is not not
|
||||||
* used.
|
* used.
|
||||||
@ -338,9 +340,9 @@ bool batadv_frag_skb_buffer(struct sk_buff **skb,
|
|||||||
goto out_err;
|
goto out_err;
|
||||||
|
|
||||||
out:
|
out:
|
||||||
*skb = skb_out;
|
|
||||||
ret = true;
|
ret = true;
|
||||||
out_err:
|
out_err:
|
||||||
|
*skb = skb_out;
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -499,6 +501,12 @@ int batadv_frag_send_packet(struct sk_buff *skb,
|
|||||||
|
|
||||||
/* Eat and send fragments from the tail of skb */
|
/* Eat and send fragments from the tail of skb */
|
||||||
while (skb->len > max_fragment_size) {
|
while (skb->len > max_fragment_size) {
|
||||||
|
/* The initial check in this function should cover this case */
|
||||||
|
if (unlikely(frag_header.no == BATADV_FRAG_MAX_FRAGMENTS - 1)) {
|
||||||
|
ret = -EINVAL;
|
||||||
|
goto put_primary_if;
|
||||||
|
}
|
||||||
|
|
||||||
skb_fragment = batadv_frag_create(skb, &frag_header, mtu);
|
skb_fragment = batadv_frag_create(skb, &frag_header, mtu);
|
||||||
if (!skb_fragment) {
|
if (!skb_fragment) {
|
||||||
ret = -ENOMEM;
|
ret = -ENOMEM;
|
||||||
@ -515,12 +523,6 @@ int batadv_frag_send_packet(struct sk_buff *skb,
|
|||||||
}
|
}
|
||||||
|
|
||||||
frag_header.no++;
|
frag_header.no++;
|
||||||
|
|
||||||
/* The initial check in this function should cover this case */
|
|
||||||
if (frag_header.no == BATADV_FRAG_MAX_FRAGMENTS - 1) {
|
|
||||||
ret = -EINVAL;
|
|
||||||
goto put_primary_if;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Make room for the fragment header. */
|
/* Make room for the fragment header. */
|
||||||
|
Loading…
Reference in New Issue
Block a user